commit:     b1653f03b6503d27c0ddb176c478982878dd955c
Author:     Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
AuthorDate: Sat Jul  3 18:55:09 2021 +0000
Commit:     Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
CommitDate: Sat Jul  3 18:55:09 2021 +0000
URL:        https://gitweb.gentoo.org/proj/releng.git/commit/?id=b1653f03

add a simple packet filter for demeter

Signed-off-by: Andreas K. Hüttel <dilfridge <AT> gentoo.org>

 config/fwbuilder/demeter.fw        | 522 +++++++++++++++++++++++++++++
 config/fwbuilder/demeter.fwb       | 662 +++++++++++++++++++++++++++++++++++++
 config/fwbuilder/fwbuilder.service |  14 +
 3 files changed, 1198 insertions(+)

diff --git a/config/fwbuilder/demeter.fw b/config/fwbuilder/demeter.fw
new file mode 100755
index 00000000..af0e36ed
--- /dev/null
+++ b/config/fwbuilder/demeter.fw
@@ -0,0 +1,522 @@
+#!/bin/sh 
+#
+#  This is automatically generated file. DO NOT MODIFY !
+#
+#  Firewall Builder  fwb_ipt v5.3.7
+#
+#  Generated Sat Jul  3 20:39:41 2021 CEST by huettel
+#
+# files: * demeter.fw /etc/demeter.fw
+#
+# Compiled for iptables (any version)
+#
+# This is an example of a firewall protecting a host ( a server or a 
workstation). Only SSH access to the host is permitted. Host has dynamic 
address.
+
+
+
+
+FWBDEBUG=""
+
+PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
+export PATH
+
+
+
+LSMOD="lsmod"
+MODPROBE="modprobe"
+IPTABLES="iptables"
+IP6TABLES="ip6tables"
+IPTABLES_RESTORE="iptables-restore"
+IP6TABLES_RESTORE="ip6tables-restore"
+IP="ip"
+IFCONFIG="ifconfig"
+VCONFIG="vconfig"
+BRCTL="brctl"
+IFENSLAVE="ifenslave"
+IPSET="ipset"
+LOGGER="logger"
+
+log() {
+    echo "$1"
+    which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
+}
+
+getInterfaceVarName() {
+    echo $1 | sed 's/\./_/'
+}
+
+getaddr_internal() {
+    dev=$1
+    name=$2
+    af=$3
+    L=$($IP $af addr show dev $dev |  sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' 
| sed 's/peer.*//')
+    test -z "$L" && { 
+        eval "$name=''"
+        return
+    }
+    eval "${name}_list=\"$L\"" 
+}
+
+getnet_internal() {
+    dev=$1
+    name=$2
+    af=$3
+    L=$($IP route list proto kernel | grep $dev | grep -v default |  sed 's! 
.*$!!')
+    test -z "$L" && { 
+        eval "$name=''"
+        return
+    }
+    eval "${name}_list=\"$L\"" 
+}
+
+
+getaddr() {
+    getaddr_internal $1 $2 "-4"
+}
+
+getaddr6() {
+    getaddr_internal $1 $2 "-6"
+}
+
+getnet() {
+    getnet_internal $1 $2 "-4"
+}
+
+getnet6() {
+    getnet_internal $1 $2 "-6"
+}
+
+# function getinterfaces is used to process wildcard interfaces
+getinterfaces() {
+    NAME=$1
+    $IP link show | grep ": $NAME" | while read L; do
+        OIFS=$IFS
+        IFS=" :"
+        set $L
+        IFS=$OIFS
+        echo $2
+    done
+}
+
+diff_intf() {
+    func=$1
+    list1=$2
+    list2=$3
+    cmd=$4
+    for intf in $list1
+    do
+        echo $list2 | grep -q $intf || {
+        # $vlan is absent in list 2
+            $func $intf $cmd
+        }
+    done
+}
+
+find_program() {
+  PGM=$1
+  which $PGM >/dev/null 2>&1 || {
+    echo "\"$PGM\" not found"
+    exit 1
+  }
+}
+check_tools() {
+  find_program which
+  find_program $IPTABLES 
+  find_program $MODPROBE 
+  find_program $IP 
+}
+reset_iptables_v4() {
+  local list
+
+  $IPTABLES  -P OUTPUT  DROP
+  $IPTABLES  -P INPUT   DROP
+  $IPTABLES  -P FORWARD DROP
+
+  while read table; do
+      list=$($IPTABLES  -t $table -L -n)
+      printf "%s" "$list" | while read c chain rest; do
+      if test "X$c" = "XChain" ; then
+        $IPTABLES  -t $table -F $chain
+      fi
+      done
+      $IPTABLES  -t $table -X
+  done < /proc/net/ip_tables_names
+}
+
+reset_iptables_v6() {
+  local list
+
+  $IP6TABLES  -P OUTPUT  DROP
+  $IP6TABLES  -P INPUT   DROP
+  $IP6TABLES  -P FORWARD DROP
+
+  while read table; do
+      list=$($IP6TABLES  -t $table -L -n)
+      printf "%s" "$list" | while read c chain rest; do
+      if test "X$c" = "XChain" ; then
+        $IP6TABLES  -t $table -F $chain
+      fi
+      done
+      $IP6TABLES  -t $table -X
+  done < /proc/net/ip6_tables_names
+}
+
+
+P2P_INTERFACE_WARNING=""
+
+missing_address() {
+    address=$1
+    cmd=$2
+
+    oldIFS=$IFS
+    IFS="@"
+    set $address
+    addr=$1
+    interface=$2
+    IFS=$oldIFS
+
+
+
+    $IP addr show dev $interface | grep -q POINTOPOINT && {
+        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update 
address of interface $interface. fwbuilder can not manage addresses of 
point-to-point interfaces yet"
+        P2P_INTERFACE_WARNING="yes"
+        return
+    }
+
+    test "$cmd" = "add" && {
+      echo "# Adding ip address: $interface $addr"
+      echo $addr | grep -q ':' && {
+          $FWBDEBUG $IP addr $cmd $addr dev $interface
+      } || {
+          $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
+      }
+    }
+
+    test "$cmd" = "del" && {
+      echo "# Removing ip address: $interface $addr"
+      $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
+    }
+
+    $FWBDEBUG $IP link set $interface up
+}
+
+list_addresses_by_scope() {
+    interface=$1
+    scope=$2
+    ignore_list=$3
+    $IP addr ls dev $interface | \
+      awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
+        'BEGIN {
+           split(IGNORED,ignored_arr);
+           for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
+         }
+         (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' 
| \
+        while read addr; do
+          echo "${addr}@$interface"
+       done | sort
+}
+
+
+update_addresses_of_interface() {
+    ignore_list=$2
+    set $1 
+    interface=$1 
+    shift
+
+    FWB_ADDRS=$(
+      for addr in $*; do
+        echo "${addr}@$interface"
+      done | sort
+    )
+
+    CURRENT_ADDRS_ALL_SCOPES=""
+    CURRENT_ADDRS_GLOBAL_SCOPE=""
+
+    $IP link show dev $interface >/dev/null 2>&1 && {
+      CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' 
"$ignore_list")
+      CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope 
global' "$ignore_list")
+    } || {
+      echo "# Interface $interface does not exist"
+      # Stop the script if we are not in test mode
+      test -z "$FWBDEBUG" && exit 1
+    }
+
+    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
+    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
+}
+
+clear_addresses_except_known_interfaces() {
+    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
+        'BEGIN {
+           split(IGNORED,ignored_arr);
+           for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
+         }
+         (/state/ && !($2 in ignored_dict)) {print $2;}' | \
+         while read intf; do
+            echo "# Removing addresses not configured in fwbuilder from 
interface $intf"
+            $FWBDEBUG $IP addr flush dev $intf scope global
+            $FWBDEBUG $IP link set $intf down
+         done
+}
+
+check_file() {
+    test -r "$2" || {
+        echo "Can not find file $2 referenced by address table object $1"
+        exit 1
+    }
+}
+
+check_run_time_address_table_files() {
+    :
+    
+}
+
+load_modules() {
+    :
+    OPTS=$1
+    MODULES_DIR="/lib/modules/`uname -r`/kernel/net/"
+    MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed  -e 
's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
+    echo $OPTS | grep -q nat && {
+        MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed  -e 
's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
+    }
+    echo $OPTS | grep -q ipv6 && {
+        MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed  -e 
's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
+    }
+    for module in $MODULES; do 
+        if $LSMOD | grep ${module} >/dev/null; then continue; fi
+        $MODPROBE ${module} ||  exit 1 
+    done
+}
+
+verify_interfaces() {
+    :
+    echo "Verifying interfaces: eth0 lo"
+    for i in eth0 lo ; do
+        $IP link show "$i" > /dev/null 2>&1 || {
+            log "Interface $i does not exist"
+            exit 1
+        }
+    done
+}
+
+prolog_commands() {
+    echo "Running prolog script"
+    
+}
+
+epilog_commands() {
+    echo "Running epilog script"
+    
+}
+
+run_epilog_and_exit() {
+    epilog_commands
+    exit $1
+}
+
+configure_interfaces() {
+    :
+    # Configure interfaces
+    update_addresses_of_interface "lo 127.0.0.1/8" ""
+    getaddr eth0  i_eth0
+    getaddr6 eth0  i_eth0_v6
+    getnet eth0  i_eth0_network
+    getnet6 eth0  i_eth0_v6_network
+}
+
+script_body() {
+    # ================ IPv4
+
+
+    # ================ Table 'filter', automatic rules
+    # accept established sessions
+    $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT 
+    $IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT 
+    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+
+
+
+
+
+    # ================ Table 'filter', rule set Policy
+    # 
+    # Rule 0 (eth0)
+    # 
+    echo "Rule 0 (eth0)"
+    # 
+    # anti spoofing rule
+    $IPTABLES -N In_RULE_0
+    for i_eth0 in $i_eth0_list
+    do
+    test -n "$i_eth0" && $IPTABLES -A INPUT -i eth0   -s $i_eth0   -m state 
--state NEW  -j In_RULE_0 
+    done
+    for i_eth0 in $i_eth0_list
+    do
+    test -n "$i_eth0" && $IPTABLES -A FORWARD -i eth0   -s $i_eth0   -m state 
--state NEW  -j In_RULE_0 
+    done
+    $IPTABLES -A In_RULE_0  -j LOG  --log-level info --log-prefix "RULE 0 -- 
DENY "
+    $IPTABLES -A In_RULE_0  -j DROP
+    # 
+    # Rule 1 (lo)
+    # 
+    echo "Rule 1 (lo)"
+    # 
+    $IPTABLES -A INPUT -i lo   -m state --state NEW  -j ACCEPT
+    $IPTABLES -A OUTPUT -o lo   -m state --state NEW  -j ACCEPT
+    # 
+    # Rule 2 (global)
+    # 
+    echo "Rule 2 (global)"
+    # 
+    # SSH Access to the host; useful ICMP
+    # types; ping request
+    $IPTABLES -N Cid4543X4142577.0
+    for i_eth0 in $i_eth0_list
+    do
+    test -n "$i_eth0" && $IPTABLES -A OUTPUT  -d $i_eth0   -m state --state 
NEW  -j Cid4543X4142577.0 
+    done
+    $IPTABLES -A Cid4543X4142577.0 -p icmp  -m icmp  --icmp-type 3  -j ACCEPT
+    $IPTABLES -A Cid4543X4142577.0 -p icmp  -m icmp  --icmp-type 0/0   -j 
ACCEPT
+    $IPTABLES -A Cid4543X4142577.0 -p icmp  -m icmp  --icmp-type 8/0   -j 
ACCEPT
+    $IPTABLES -A Cid4543X4142577.0 -p icmp  -m icmp  --icmp-type 11/0   -j 
ACCEPT
+    $IPTABLES -A Cid4543X4142577.0 -p icmp  -m icmp  --icmp-type 11/1   -j 
ACCEPT
+    $IPTABLES -A Cid4543X4142577.0 -p tcp -m tcp  --dport 22  -j ACCEPT
+    $IPTABLES -A INPUT -p icmp  -m icmp  --icmp-type 3  -m state --state NEW  
-j ACCEPT
+    $IPTABLES -A INPUT -p icmp  -m icmp  --icmp-type 0/0   -m state --state 
NEW  -j ACCEPT
+    $IPTABLES -A INPUT -p icmp  -m icmp  --icmp-type 8/0   -m state --state 
NEW  -j ACCEPT
+    $IPTABLES -A INPUT -p icmp  -m icmp  --icmp-type 11/0   -m state --state 
NEW  -j ACCEPT
+    $IPTABLES -A INPUT -p icmp  -m icmp  --icmp-type 11/1   -m state --state 
NEW  -j ACCEPT
+    $IPTABLES -A INPUT -p tcp -m tcp  --dport 22  -m state --state NEW  -j 
ACCEPT
+    # 
+    # Rule 3 (global)
+    # 
+    echo "Rule 3 (global)"
+    # 
+    for i_eth0 in $i_eth0_list
+    do
+    test -n "$i_eth0" && $IPTABLES -A INPUT  -s $i_eth0   -m state --state NEW 
 -j ACCEPT 
+    done
+    $IPTABLES -A OUTPUT  -m state --state NEW  -j ACCEPT
+    # 
+    # Rule 4 (global)
+    # 
+    echo "Rule 4 (global)"
+    # 
+    $IPTABLES -A OUTPUT  -m state --state NEW  -j DROP
+    $IPTABLES -A INPUT  -m state --state NEW  -j DROP
+    $IPTABLES -A FORWARD  -m state --state NEW  -j DROP
+}
+
+ip_forward() {
+    :
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+}
+
+reset_all() {
+    :
+    reset_iptables_v4
+}
+
+block_action() {
+    reset_all
+}
+
+stop_action() {
+    reset_all
+    $IPTABLES  -P OUTPUT  ACCEPT
+    $IPTABLES  -P INPUT   ACCEPT
+    $IPTABLES  -P FORWARD ACCEPT
+}
+
+check_iptables() {
+    IP_TABLES="$1"
+    [ ! -e $IP_TABLES ] && return 151
+    NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
+    [ -z "$NF_TABLES" ] && return 152
+    return 0
+}
+status_action() {
+    check_iptables "/proc/net/ip_tables_names"
+    ret_ipv4=$?
+    check_iptables "/proc/net/ip6_tables_names"
+    ret_ipv6=$?
+    [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
+    [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
+        echo "iptables modules are not loaded"
+    }
+    [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
+        echo "Firewall is not configured"
+    }
+    exit 3
+}
+
+# See how we were called.
+# For backwards compatibility missing argument is equivalent to 'start'
+
+cmd=$1
+test -z "$cmd" && {
+    cmd="start"
+}
+
+case "$cmd" in
+    start)
+        log "Activating firewall script generated Sat Jul  3 20:39:41 2021 by 
huettel"
+        check_tools
+         prolog_commands 
+        check_run_time_address_table_files
+        
+        load_modules " "
+        configure_interfaces
+        verify_interfaces
+        
+         reset_all 
+        
+        script_body
+        ip_forward
+        
+        epilog_commands
+        RETVAL=$?
+        ;;
+
+    stop)
+        stop_action
+        RETVAL=$?
+        ;;
+
+    status)
+        status_action
+        RETVAL=$?
+        ;;
+
+    block)
+        block_action
+        RETVAL=$?
+        ;;
+
+    reload)
+        $0 stop
+        $0 start
+        RETVAL=$?
+        ;;
+
+    interfaces)
+        configure_interfaces
+        RETVAL=$?
+        ;;
+
+    test_interfaces)
+        FWBDEBUG="echo"
+        configure_interfaces
+        RETVAL=$?
+        ;;
+
+
+
+    *)
+        echo "Usage $0 
[start|stop|status|block|reload|interfaces|test_interfaces]"
+        ;;
+
+esac
+
+exit $RETVAL
\ No newline at end of file
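Review bot: The generated script installs no IPv6 policy at all: reset_all calls only reset_iptables_v4, script_body emits $IPTABLES rules only, and load_modules is invoked with " " so the ipv6 conntrack module is never requested, even though configure_interfaces still collects i_eth0_v6 and i_eth0_v6_network. If demeter has a global IPv6 address, ip6tables presumably keeps its default ACCEPT policies and the header's "Only SSH access to the host is permitted" holds for IPv4 only; since the file says DO NOT MODIFY, the fix belongs in demeter.fwb (enable the IPv6 policy with matching SSH/ICMPv6 allowances, or at minimum ip6tables default DROP) followed by a regenerate. Separately, ip_forward unconditionally writes 1 to /proc/sys/net/ipv4/ip_forward although this is a single-host filter whose FORWARD policy is DROP, so the forwarding option in the .fwb should be turned off rather than relying on the chain policy alone. Also note that `reload` runs `$0 stop` (which sets all three policies to ACCEPT) before `$0 start`, so an `exit 1` from find_program or verify_interfaces during the start phase leaves the host unfiltered; invoking `block` on a failed start, or validating tools and interfaces before stopping, would close that window.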

diff --git a/config/fwbuilder/demeter.fwb b/config/fwbuilder/demeter.fwb
new file mode 100644
index 00000000..2a433ef3
--- /dev/null
+++ b/config/fwbuilder/demeter.fwb
@@ -0,0 +1,662 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/"; version="24" 
lastModified="1625337369" id="root">
+  <Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard 
objects" ro="True">
+    <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" 
address="0.0.0.0" netmask="0.0.0.0"/>
+    <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP 
Service" ro="False"/>
+    <AnyInterval id="sysid2" days_of_week="0,1,2,3,4,5,6" from_day="-1" 
from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" 
from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" 
to_weekday="-1" to_year="-1" name="Any" comment="Any Interval" ro="False"/>
+    <DummyNetwork id="dummyaddressid0" name="Dummy" comment="Dummy Network" 
ro="False" address="255.255.255.255" netmask="255.255.255.255"/>
+    <DummyIPService id="dummyserviceid0" protocol_num="0" name="Dummy" 
comment="Dummy IP Service" ro="False"/>
+    <DummyInterface id="dummyinterfaceid0" dedicated_failover="False" 
dyn="False" security_level="0" unnum="True" unprotected="False" name="Dummy" 
comment="Dummy Interface" ro="False">
+      <InterfaceOptions/>
+    </DummyInterface>
+    <ObjectGroup id="stdid01" name="Objects" comment="" ro="False">
+      <ObjectGroup id="stdid16" name="Addresses" comment="" ro="False">
+        <IPv4 id="id2001X88798" name="all-hosts" comment="" ro="False" 
address="224.0.0.1" netmask="0.0.0.0"/>
+        <IPv4 id="id2002X88798" name="all-routers" comment="" ro="False" 
address="224.0.0.2" netmask="0.0.0.0"/>
+        <IPv4 id="id2003X88798" name="all DVMRP" comment="" ro="False" 
address="224.0.0.4" netmask="0.0.0.0"/>
+        <IPv4 id="id2117X88798" name="OSPF (all routers)" comment="RFC2328" 
ro="False" address="224.0.0.5" netmask="0.0.0.0"/>
+        <IPv4 id="id2128X88798" name="OSPF (designated routers)" 
comment="RFC2328" ro="False" address="224.0.0.6" netmask="0.0.0.0"/>
+        <IPv4 id="id2430X88798" name="RIP" comment="RFC1723" ro="False" 
address="224.0.0.9" netmask="0.0.0.0"/>
+        <IPv4 id="id2439X88798" name="EIGRP" comment="" ro="False" 
address="224.0.0.10" netmask="0.0.0.0"/>
+        <IPv4 id="id2446X88798" name="DHCP server, relay agent" comment="RFC 
1884" ro="False" address="224.0.0.12" netmask="0.0.0.0"/>
+        <IPv4 id="id2455X88798" name="PIM" comment="" ro="False" 
address="224.0.0.13" netmask="0.0.0.0"/>
+        <IPv4 id="id2462X88798" name="RSVP" comment="" ro="False" 
address="224.0.0.14" netmask="0.0.0.0"/>
+        <IPv4 id="id2469X88798" name="VRRP" comment="RFC3768" ro="False" 
address="224.0.0.18" netmask="0.0.0.0"/>
+        <IPv4 id="id2777X88798" name="IGMP" comment="" ro="False" 
address="224.0.0.22" netmask="0.0.0.0"/>
+        <IPv4 id="id2784X88798" name="OSPFIGP-TE" comment="RFC4973" ro="False" 
address="224.0.0.24" netmask="0.0.0.0"/>
+        <IPv4 id="id3094X88798" name="HSRP" comment="" ro="False" 
address="224.0.0.102" netmask="0.0.0.0"/>
+        <IPv4 id="id3403X88798" name="mDNS" comment="" ro="False" 
address="224.0.0.251" netmask="0.0.0.0"/>
+        <IPv4 id="id3410X88798" name="LLMNR" comment="Link-Local Multicast 
Name Resolution, RFC4795" ro="False" address="224.0.0.252" netmask="0.0.0.0"/>
+        <IPv4 id="id3411X88798" name="Teredo" comment="" ro="False" 
address="224.0.0.253" netmask="0.0.0.0"/>
+      </ObjectGroup>
+      <ObjectGroup id="stdid17" name="DNS Names" comment="" ro="False"/>
+      <ObjectGroup id="stdid18" name="Address Tables" comment="" ro="False"/>
+      <ObjectGroup id="stdid04" name="Groups" comment="" ro="False">
+        <ObjectGroup id="id3DC75CE8" name="rfc1918-nets" comment="" ro="False">
+          <ObjectRef ref="id3DC75CE5"/>
+          <ObjectRef ref="id3DC75CE6"/>
+          <ObjectRef ref="id3DC75CE7"/>
+        </ObjectGroup>
+        <ObjectGroup id="id3292X75851" name="ipv6 private" comment="These are 
various ipv6 networks that should not be routed on the Internet&#10;" 
ro="False">
+          <ObjectRef ref="id2088X75851"/>
+          <ObjectRef ref="id2986X75851"/>
+          <ObjectRef ref="id2383X75851"/>
+        </ObjectGroup>
+      </ObjectGroup>
+      <ObjectGroup id="stdid02" name="Hosts" comment="" ro="False">
+        <Host id="id3D84EECE" name="internal server" comment="This host is 
used in examples and template objects" ro="False">
+          <Interface id="id3D84EED2" dedicated_failover="False" dyn="False" 
security_level="0" unnum="False" unprotected="False" name="eth0" comment="" 
ro="False">
+            <IPv4 id="id3D84EED3" name="ip" comment="" ro="False" 
address="192.168.1.10" netmask="255.255.255.0"/>
+            <InterfaceOptions/>
+          </Interface>
+          <Management address="192.168.1.10">
+            <SNMPManagement enabled="False" snmp_read_community="" 
snmp_write_community=""/>
+            <FWBDManagement enabled="False" identity="" port="-1"/>
+            <PolicyInstallScript arguments="" command="" enabled="False"/>
+          </Management>
+          <HostOptions>
+            <Option name="snmp_contact"/>
+            <Option name="snmp_description"/>
+            <Option name="snmp_location"/>
+            <Option name="use_mac_addr">false</Option>
+            <Option name="use_mac_addr_filter">False</Option>
+          </HostOptions>
+        </Host>
+        <Host id="id3D84EECF" name="server on dmz" comment="This host is used 
in examples and template objects" ro="False">
+          <Interface id="id3D84EEE3" dedicated_failover="False" dyn="False" 
security_level="0" unnum="False" unprotected="False" name="eth0" comment="" 
ro="False">
+            <IPv4 id="id3D84EEE4" name="ip" comment="" ro="False" 
address="192.168.2.10" netmask="255.255.255.0"/>
+            <InterfaceOptions/>
+          </Interface>
+          <Management address="192.168.2.10">
+            <SNMPManagement enabled="False" snmp_read_community="" 
snmp_write_community=""/>
+            <FWBDManagement enabled="False" identity="" port="-1"/>
+            <PolicyInstallScript arguments="" command="" enabled="False"/>
+          </Management>
+          <HostOptions>
+            <Option name="snmp_contact"/>
+            <Option name="snmp_description"/>
+            <Option name="snmp_location"/>
+            <Option name="use_mac_addr">false</Option>
+            <Option name="use_mac_addr_filter">False</Option>
+          </HostOptions>
+        </Host>
+      </ObjectGroup>
+      <ObjectGroup id="stdid03" name="Networks" comment="" ro="False">
+        <Network id="id3DC75CEC" name="all multicasts" comment="224.0.0.0/4 - 
This block, formerly known as the Class D address&#10;space, is allocated for 
use in IPv4 multicast address assignments.&#10;The IANA guidelines for 
assignments from this space are described in&#10;[RFC3171].&#10;" ro="False" 
address="224.0.0.0" netmask="240.0.0.0"/>
+        <Network id="id3F4ECE3E" name="link-local" comment="169.254.0.0/16 - 
This is the &quot;link local&quot; block.  It is allocated 
for&#10;communication between hosts on a single link.  Hosts obtain 
these&#10;addresses by auto-configuration, such as when a DHCP server may 
not&#10;be found.&#10;" ro="False" address="169.254.0.0" netmask="255.255.0.0"/>
+        <Network id="id3F4ECE3D" name="loopback-net" comment="127.0.0.0/8 - 
This block is assigned for use as the Internet host&#10;loopback address.  A 
datagram sent by a higher level protocol to an&#10;address anywhere within this 
block should loop back inside the host.&#10;This is ordinarily implemented 
using only 127.0.0.1/32 for loopback,&#10;but no addresses within this block 
should ever appear on any network&#10;anywhere [RFC1700, page 5].&#10;" 
ro="False" address="127.0.0.0" netmask="255.0.0.0"/>
+        <Network id="id3DC75CE5" name="net-10.0.0.0" comment="10.0.0.0/8 - 
This block is set aside for use in private networks.&#10;Its intended use is 
documented in [RFC1918].  Addresses within this&#10;block should not appear on 
the public Internet." ro="False" address="10.0.0.0" netmask="255.0.0.0"/>
+        <Network id="id3DC75CE7" name="net-172.16.0.0" comment="172.16.0.0/12 
- This block is set aside for use in private networks.&#10;Its intended use is 
documented in [RFC1918].  Addresses within this&#10;block should not appear on 
the public Internet.&#10;" ro="False" address="172.16.0.0" 
netmask="255.240.0.0"/>
+        <Network id="id3DC75CE6" name="net-192.168.0.0" 
comment="192.168.0.0/16 - This block is set aside for use in private 
networks.&#10;Its intended use is documented in [RFC1918].  Addresses within 
this&#10;block should not appear on the public Internet.&#10;" ro="False" 
address="192.168.0.0" netmask="255.255.0.0"/>
+        <Network id="id3F4ECE3F" name="test-net" comment="192.0.2.0/24 - This 
block is assigned as &quot;TEST-NET&quot; for use in&#10;documentation and 
example code.  It is often used in conjunction with&#10;domain names 
example.com or example.net in vendor and protocol&#10;documentation.  Addresses 
within this block should not appear on the&#10;public Internet.&#10;" 
ro="False" address="192.0.2.0" netmask="255.255.255.0"/>
+        <Network id="id3F4ECE40" name="this-net" comment="0.0.0.0/8 - 
Addresses in this block refer to source hosts on &quot;this&quot;&#10;network.  
Address 0.0.0.0/32 may be used as a source address for this&#10;host on this 
network; other addresses within 0.0.0.0/8 may be used to&#10;refer to specified 
hosts on this network [RFC1700, page 4]." ro="False" address="0.0.0.0" 
netmask="255.0.0.0"/>
+        <Network id="id3DC75CE7-1" name="net-192.168.1.0" 
comment="192.168.1.0/24 - Address often used for home and small office 
networks.&#10;" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
+        <Network id="id3DC75CE7-2" name="net-192.168.2.0" 
comment="192.168.2.0/24 - Address often used for home and small office 
networks.&#10;" ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
+        <NetworkIPv6 id="id2088X75851" name="documentation net" 
comment="RFC3849" ro="False" address="2001:db8::" netmask="32"/>
+        <NetworkIPv6 id="id2383X75851" name="link-local ipv6" comment="RFC4291 
  Link-local unicast net" ro="False" address="fe80::" netmask="10"/>
+        <NetworkIPv6 id="id2685X75851" name="multicast ipv6" comment="RFC4291  
ipv6 multicast addresses" ro="False" address="ff00::" netmask="8"/>
+        <NetworkIPv6 id="id2986X75851" name="experimental ipv6" 
comment="RFC2928, RFC4773 &#10;&#10;&quot;The block of Sub-TLA IDs assigned to 
the IANA&#10;(i.e., 2001:0000::/29 - 2001:01F8::/29) is for&#10;assignment for 
testing and experimental usage to&#10;support activities such as the 6bone, 
and&#10;for new approaches like exchanges.&quot;  [RFC2928]&#10;&#10;" 
ro="False" address="2001::" netmask="23"/>
+        <Network id="id3289X12564" name="TEST-NET-2" comment="RFC 5735&#10;RFC 
5737&#10;" ro="False" address="198.51.100.0" netmask="255.255.255.0"/>
+        <Network id="id3300X12564" name="TEST-NET-3" comment="RFC 5735&#10;RFC 
5737" ro="False" address="203.0.113.0" netmask="255.255.255.0"/>
+        <Network id="id3311X12564" name="Benchmark tests network" comment="RFC 
5735" ro="False" address="198.18.0.0" netmask="255.254.0.0"/>
+        <NetworkIPv6 id="id3326X12564" name="mapped-ipv4" comment="" 
ro="False" address="::ffff:0.0.0.0" netmask="96"/>
+        <NetworkIPv6 id="id3341X12564" name="translated-ipv4" comment="" 
ro="False" address="::ffff:0:0:0" netmask="96"/>
+        <NetworkIPv6 id="id3350X12564" name="Teredo" comment="" ro="False" 
address="2001::" netmask="32"/>
+        <NetworkIPv6 id="id3359X12564" name="unique-local" comment="" 
ro="False" address="fc00::" netmask="7"/>
+      </ObjectGroup>
+      <ObjectGroup id="stdid15" name="Address Ranges" comment="" ro="False">
+        <AddressRange id="id3F6D115C" name="broadcast" comment="" ro="False" 
start_address="255.255.255.255" end_address="255.255.255.255"/>
+        <AddressRange id="id3F6D115D" name="old-broadcast" comment="" 
ro="False" start_address="0.0.0.0" end_address="0.0.0.0"/>
+      </ObjectGroup>
+    </ObjectGroup>
+    <ServiceGroup id="stdid05" name="Services" comment="" ro="False">
+      <CustomService id="stdid14_1" name="ESTABLISHED" comment="This service 
matches all packets which are part of network connections established through 
the firewall, or connections 'related' to those established through the 
firewall. Term 'established' refers to the state tracking mechanism which 
exists inside iptables and other stateful firewalls and does not mean any 
particular combination of packet header options. Packet is considered to 
correspond to the state 'ESTABLISHED' if it belongs to the network session, for 
which proper initiation has been seen by the firewall, so its stateful 
inspection module made appropriate record in the state table. Usually stateful 
firewalls keep track of network connections using not only tcp protocol, but 
also udp and sometimes even icmp protocols. 'RELATED' describes packet 
belonging to a separate network connection, related to the session firewall is 
keeping track of. One example is FTP command and FTP data sessions." ro="False" 
protocol="an
 y" address_family="ipv4">
+        <CustomServiceCommand platform="Undefined"/>
+        <CustomServiceCommand 
platform="iosacl">established</CustomServiceCommand>
+        <CustomServiceCommand platform="ipfilter"/>
+        <CustomServiceCommand 
platform="ipfw">established</CustomServiceCommand>
+        <CustomServiceCommand platform="iptables">-m state --state 
ESTABLISHED,RELATED</CustomServiceCommand>
+        <CustomServiceCommand 
platform="junosacl">tcp-established</CustomServiceCommand>
+        <CustomServiceCommand 
platform="nxosacl">established</CustomServiceCommand>
+        <CustomServiceCommand 
platform="procurve_acl">established</CustomServiceCommand>
+      </CustomService>
+      <CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This 
service matches all packets which are part of network connections established 
through the firewall, or connections 'related' to those established through the 
firewall. Term 'established' refers to the state tracking mechanism which 
exists inside iptables and other stateful firewalls and does not mean any 
particular combination of packet header options. Packet is considered to 
correspond to the state 'ESTABLISHED' if it belongs to the network session, for 
which proper initiation has been seen by the firewall, so its stateful 
inspection module made appropriate record in the state table. Usually stateful 
firewalls keep track of network connections using not only tcp protocol, but 
also udp and sometimes even icmp protocols. 'RELATED' describes packet 
belonging to a separate network connection, related to the session firewall is 
keeping track of. One example is FTP command and FTP data sessions." ro="False" 
protoco
 l="any" address_family="ipv6">
+        <CustomServiceCommand platform="Undefined"/>
+        <CustomServiceCommand 
platform="iosacl">established</CustomServiceCommand>
+        <CustomServiceCommand platform="ipfilter"/>
+        <CustomServiceCommand 
platform="ipfw">established</CustomServiceCommand>
+        <CustomServiceCommand platform="iptables">-m state --state 
ESTABLISHED,RELATED</CustomServiceCommand>
+        <CustomServiceCommand 
platform="junosacl">tcp-established</CustomServiceCommand>
+        <CustomServiceCommand 
platform="nxosacl">established</CustomServiceCommand>
+        <CustomServiceCommand 
platform="procurve_acl">established</CustomServiceCommand>
+      </CustomService>
+      <ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
+        <ServiceGroup id="sg-DHCP" name="DHCP" comment="" ro="False">
+          <ServiceRef ref="udp-bootpc"/>
+          <ServiceRef ref="udp-bootps"/>
+        </ServiceGroup>
+        <ServiceGroup id="id3F530CC8" name="DNS" comment="" ro="False">
+          <ServiceRef ref="udp-DNS"/>
+          <ServiceRef ref="tcp-DNS"/>
+        </ServiceGroup>
+        <ServiceGroup id="id3CB1279B" name="IPSEC" comment="" ro="False">
+          <ServiceRef ref="id3CB12797"/>
+          <ServiceRef ref="ip-IPSEC"/>
+        </ServiceGroup>
+        <ServiceGroup id="sg-NETBIOS" name="NETBIOS" comment="" ro="False">
+          <ServiceRef ref="udp-netbios-dgm"/>
+          <ServiceRef ref="udp-netbios-ns"/>
+          <ServiceRef ref="id3E755609"/>
+        </ServiceGroup>
+        <ServiceGroup id="id3CB131CC" name="PCAnywhere" comment="" ro="False">
+          <ServiceRef ref="id3CB131CA"/>
+          <ServiceRef ref="id3CB131C8"/>
+        </ServiceGroup>
+        <ServiceGroup id="sg-Useful_ICMP" name="Useful_ICMP" comment="" 
ro="False">
+          <ServiceRef ref="icmp-Time_exceeded"/>
+          <ServiceRef ref="icmp-Time_exceeded_in_transit"/>
+          <ServiceRef ref="icmp-ping_reply"/>
+          <ServiceRef ref="icmp-Unreachables"/>
+        </ServiceGroup>
+        <ServiceGroup id="id1569X4889" name="Ipv6 unreachable messages" 
comment="" ro="False">
+          <ServiceRef ref="idE0D27650"/>
+          <ServiceRef ref="idCFE27650"/>
+          <ServiceRef ref="idE0B27650"/>
+          <ServiceRef ref="id1519Z388"/>
+        </ServiceGroup>
+        <ServiceGroup id="id3B4FEDD9" name="kerberos" comment="" ro="False">
+          <ServiceRef ref="id3B4FEDA5"/>
+          <ServiceRef ref="id3B4FEDA9"/>
+          <ServiceRef ref="id3B4FEDA7"/>
+          <ServiceRef ref="id3B4FEDAB"/>
+          <ServiceRef ref="id3B4FEDA3"/>
+          <ServiceRef ref="id3B4FEE21"/>
+          <ServiceRef ref="id3B4FEE23"/>
+          <ServiceRef ref="id3E7E3EA2"/>
+        </ServiceGroup>
+        <ServiceGroup id="id3B4FF35E" name="nfs" comment="" ro="False">
+          <ServiceRef ref="id3B4FEE7A"/>
+          <ServiceRef ref="id3B4FEE78"/>
+        </ServiceGroup>
+        <ServiceGroup id="id3B4FEFFA" name="quake" comment="" ro="False">
+          <ServiceRef ref="id3B4FEF7C"/>
+          <ServiceRef ref="id3B4FEF7E"/>
+        </ServiceGroup>
+        <ServiceGroup id="id3D703C9A" name="Real Player" comment="" ro="False">
+          <ServiceRef ref="id3D703C99"/>
+          <ServiceRef ref="id3D703C8B"/>
+        </ServiceGroup>
+        <ServiceGroup id="id3E7E3E95" name="WinNT" comment="" ro="False">
+          <ServiceRef ref="sg-NETBIOS"/>
+          <ServiceRef ref="id3DC8C8BB"/>
+          <ServiceRef ref="id3E7E3D58"/>
+        </ServiceGroup>
+        <ServiceGroup id="id3E7E3E9A" name="Win2000" comment="" ro="False">
+          <ServiceRef ref="id3E7E3E95"/>
+          <ServiceRef ref="udp-DNS"/>
+          <ServiceRef ref="id3DC8C8BC"/>
+          <ServiceRef ref="id3E7E3EA2"/>
+          <ServiceRef ref="id3AECF778"/>
+          <ServiceRef ref="id3D703C90"/>
+          <ServiceRef ref="id3E7E4039"/>
+          <ServiceRef ref="id3E7E403A"/>
+          <ServiceRef ref="id3B4FEDA5"/>
+          <ServiceRef ref="tcp-DNS"/>
+        </ServiceGroup>
+        <ServiceGroup id="id41291786" name="UPnP" comment="" ro="False">
+          <ServiceRef ref="id41291784"/>
+          <ServiceRef ref="id41291785"/>
+          <ServiceRef ref="id41291783"/>
+          <ServiceRef ref="id412Z18A9"/>
+        </ServiceGroup>
+      </ServiceGroup>
+      <ServiceGroup id="stdid07" name="ICMP" comment="" ro="False">
+        <ICMPService id="icmp-Unreachables" code="-1" type="3" name="all ICMP 
unreachables" comment="" ro="False"/>
+        <ICMPService id="id3C20EEB5" code="-1" type="-1" name="any ICMP" 
comment="" ro="False"/>
+        <ICMPService id="icmp-Host_unreach" code="1" type="3" 
name="host_unreach" comment="" ro="False"/>
+        <ICMPService id="icmp-ping_reply" code="0" type="0" name="ping reply" 
comment="" ro="False"/>
+        <ICMPService id="icmp-ping_request" code="0" type="8" name="ping 
request" comment="" ro="False"/>
+        <ICMPService id="icmp-Port_unreach" code="3" type="3" name="port 
unreach" comment="Port unreachable" ro="False"/>
+        <ICMPService id="icmp-Time_exceeded" code="0" type="11" name="time 
exceeded" comment="ICMP messages of this type are needed for traceroute" 
ro="False"/>
+        <ICMPService id="icmp-Time_exceeded_in_transit" code="1" type="11" 
name="time exceeded in transit" comment="" ro="False"/>
+        <ICMP6Service id="ipv6-icmp-ping_request" code="0" type="128" 
name="ipv6 ping request" comment="IPv6 ping request" ro="False"/>
+        <ICMP6Service id="ipv6-icmp-ping_reply" code="0" type="129" name="ipv6 
ping reply" comment="IPv6 ping reply" ro="False"/>
+        <ICMP6Service id="ipv6-icmp-routersol" code="0" type="133" name="ipv6 
routersol" comment="IPv6 router solicitation" ro="False"/>
+        <ICMP6Service id="ipv6-icmp-routeradv" code="0" type="134" name="ipv6 
routeradv" comment="IPv6 router advertisement" ro="False"/>
+        <ICMP6Service id="ipv6-icmp-neighbrsol" code="0" type="135" name="ipv6 
neighbrsol" comment="IPv6 neighbor solicitation" ro="False"/>
+        <ICMP6Service id="ipv6-icmp-neighbradv" code="0" type="136" name="ipv6 
neighbradv" comment="IPv6 neighbor advertisement" ro="False"/>
+        <ICMP6Service id="ipv6-icmp-redir" code="0" type="137" name="ipv6 
redir" comment="IPv6 redirect: shorter route exists" ro="False"/>
+        <ICMP6Service id="id1519Z388" code="-1" type="4" name="ipv6 parameter 
problem" comment="IPv6 Parameter Problem: RFC4443" ro="False"/>
+        <ICMP6Service id="idCFE27650" code="0" type="3" name="ipv6 time 
exceeded" comment="Time exceeded in transit" ro="False"/>
+        <ICMP6Service id="idCFF27650" code="1" type="3" name="ipv6 time 
exceeded in reassembly" comment="Time exceeded in reassembly" ro="False"/>
+        <ICMP6Service id="idE0B27650" code="-1" type="2" name="ipv6 packet too 
big" comment="" ro="False"/>
+        <ICMP6Service id="idE0D27650" code="-1" type="1" name="ipv6 all dest 
unreachable" comment="All icmpv6 codes for type &quot;destination 
unreachable&quot;&#10;" ro="False"/>
+        <ICMP6Service id="idCFE27660" code="-1" type="-1" name="ipv6 any 
ICMP6" comment="any ICMPv6" ro="False"/>
+      </ServiceGroup>
+      <ServiceGroup id="stdid06" name="IP" comment="" ro="False">
+        <IPService id="id3CB12797" fragm="False" lsrr="False" 
protocol_num="51" rr="False" short_fragm="False" ssrr="False" ts="False" 
name="AH" comment="IPSEC Authentication Header Protocol" ro="False"/>
+        <IPService id="ip-IPSEC" fragm="False" lsrr="False" protocol_num="50" 
rr="False" short_fragm="False" ssrr="False" ts="False" name="ESP" 
comment="IPSEC Encapsulating Security Payload Protocol" ro="False"/>
+        <IPService id="ip-RR" fragm="False" lsrr="False" protocol_num="0" 
rr="True" short_fragm="False" ssrr="False" ts="False" name="RR" comment="Route 
recording packets" ro="False"/>
+        <IPService id="ip-SRR" fragm="False" lsrr="True" protocol_num="0" 
rr="False" short_fragm="False" ssrr="True" ts="False" name="SRR" comment="All 
sorts of Source Routing Packets" ro="False"/>
+        <IPService id="ip-IP_Fragments" fragm="False" lsrr="False" 
protocol_num="0" rr="False" short_fragm="True" ssrr="False" ts="False" 
name="ip_fragments" comment="'Short' fragments" ro="False"/>
+        <IPService id="id3D703C8E" fragm="False" lsrr="False" 
protocol_num="57" rr="False" short_fragm="False" ssrr="False" ts="False" 
name="SKIP" comment="IPSEC Simple Key Management for Internet Protocols" 
ro="False"/>
+        <IPService id="id3D703C8F" fragm="False" lsrr="False" 
protocol_num="47" rr="False" short_fragm="False" ssrr="False" ts="False" 
name="GRE" comment="Generic Routing Encapsulation&#10;" ro="False"/>
+        <IPService id="id3D703C95" fragm="False" lsrr="False" 
protocol_num="112" rr="False" short_fragm="False" ssrr="False" ts="False" 
name="vrrp" comment="Virtual Router Redundancy Protocol" ro="False"/>
+        <IPService id="ip-IGMP" fragm="False" lsrr="False" protocol_num="2" 
rr="False" rtralt="True" rtralt_value="0" short_fragm="False" ssrr="False" 
ts="False" name="IGMP" comment="Internet Group Management Protocol, Version 3, 
RFC 3376" ro="False"/>
+        <IPService id="ip-PIM" fragm="False" lsrr="False" protocol_num="103" 
rr="False" rtralt="False" rtralt_value="0" short_fragm="False" ssrr="False" 
ts="False" name="PIM" comment="Protocol Independent Multicast - Dense Mode 
(PIM-DM), RFC 3973, or Protocol Independent Multicast-Sparse Mode (PIM-SM) RFC 
2362" ro="False"/>
+      </ServiceGroup>
+      <ServiceGroup id="stdid09" name="TCP" comment="" ro="False">
+        <TCPService id="tcp-ALL_TCP_Masqueraded" ack_flag="False" 
ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" 
psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" 
syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ALL TCP 
Masqueraded" comment="ipchains used to use this range of port numbers for 
masquerading. " ro="False" src_range_start="61000" src_range_end="65095" 
dst_range_start="0" dst_range_end="0"/>
+        <TCPService id="id3D703C94" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="AOL" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="5190" 
dst_range_end="5190"/>
+        <TCPService id="tcp-All_TCP" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="All TCP" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
+        <TCPService id="id3CB131C4" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="Citrix-ICA" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="1494" 
dst_range_end="1494"/>
+        <TCPService id="id3D703C91" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="Entrust-Admin" comment="Entrust CA 
Administration Service" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="709" dst_range_end="709"/>
+        <TCPService id="id3D703C92" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="Entrust-KeyMgmt" comment="Entrust 
CA Key Management Service" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="710" dst_range_end="710"/>
+        <TCPService id="id3AEDBEAC" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="H323" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="1720" 
dst_range_end="1720"/>
+        <TCPService id="id412Z18A9" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="icslap" comment="Sometimes this 
protocol is called icslap, but Microsoft does not call it that and just says 
that DSPP uses port 2869 in Windows XP SP2" ro="False" src_range_start="0" 
src_range_end="0" dst_range_start="2869" dst_range_end="2869"/>
+        <TCPService id="id3E7E4039" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="LDAP GC" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="3268" 
dst_range_end="3268"/>
+        <TCPService id="id3E7E403A" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="LDAP GC SSL" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="3269" 
dst_range_end="3269"/>
+        <TCPService id="id3D703C83" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="OpenWindows" comment="Open 
Windows" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="2000" dst_range_end="2000"/>
+        <TCPService id="id3CB131C8" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="PCAnywhere-data" comment="data 
channel for PCAnywhere v7.52 and later " ro="False" src_range_start="0" 
src_range_end="0" dst_range_start="5631" dst_range_end="5631"/>
+        <TCPService id="id3D703C8B" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="Real-Audio" comment="RealNetworks 
PNA Protocol" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="7070" dst_range_end="7070"/>
+        <TCPService id="id3D703C93" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="RealSecure" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="2998" 
dst_range_end="2998"/>
+        <TCPService id="id3DC8C8BC" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="SMB" comment="SMB over TCP 
(without NETBIOS)&#10;" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="445" dst_range_end="445"/>
+        <TCPService id="id3D703C8D" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="TACACSplus" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="49" dst_range_end="49"/>
+        <TCPService id="id3D703C84" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="TCP high ports" comment="TCP high 
ports" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" 
dst_range_end="65535"/>
+        <TCPService id="id3E7E3D58" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="WINS replication" comment="" 
ro="False" src_range_start="0" src_range_end="0" dst_range_start="42" 
dst_range_end="42"/>
+        <TCPService id="id3D703C82" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="X11" comment="X Window System" 
ro="False" src_range_start="0" src_range_end="0" dst_range_start="6000" 
dst_range_end="6063"/>
+        <TCPService id="tcp-Auth" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="auth" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="113" 
dst_range_end="113"/>
+        <TCPService id="id3AEDBE6E" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="daytime" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="13" dst_range_end="13"/>
+        <TCPService id="tcp-DNS" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="domain" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
+        <TCPService id="id3B4FEDA3" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="eklogin" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="2105" 
dst_range_end="2105"/>
+        <TCPService id="id3AECF774" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="finger" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="79" dst_range_end="79"/>
+        <TCPService id="tcp-FTP" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="ftp" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="21" dst_range_end="21"/>
+        <TCPService id="tcp-FTP_data" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="ftp data" comment="FTP data 
channel.&#10;  Note: FTP protocol does not really require server to use source 
port 20 for the data channel, &#10;  but many ftp server implementations do 
so." ro="False" src_range_start="20" src_range_end="20" dst_range_start="1024" 
dst_range_end="65535"/>
+        <TCPService id="id3E7553BC" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="ftp data passive" comment="FTP 
data channel for passive mode transfers&#10;" ro="False" src_range_start="0" 
src_range_end="0" dst_range_start="20" dst_range_end="20"/>
+        <TCPService id="tcp-HTTP" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="http" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/>
+        <TCPService id="id3B4FED69" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="https" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="443" 
dst_range_end="443"/>
+        <TCPService id="id3AECF776" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="imap" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="143" 
dst_range_end="143"/>
+        <TCPService id="id3B4FED9F" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="imaps" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="993" 
dst_range_end="993"/>
+        <TCPService id="id3B4FF13C" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="irc" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="6667" 
dst_range_end="6667"/>
+        <TCPService id="id3E7E3EA2" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="kerberos" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="88" dst_range_end="88"/>
+        <TCPService id="id3B4FEE21" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="klogin" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="543" 
dst_range_end="543"/>
+        <TCPService id="id3B4FEE23" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="ksh" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="544" 
dst_range_end="544"/>
+        <TCPService id="id3AECF778" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="ldap" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="389" 
dst_range_end="389"/>
+        <TCPService id="id3D703C90" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="ldaps" comment="Lightweight 
Directory Access Protocol over TLS/SSL" ro="False" src_range_start="0" 
src_range_end="0" dst_range_start="636" dst_range_end="636"/>
+        <TCPService id="id3B4FF000" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="linuxconf" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="98" dst_range_end="98"/>
+        <TCPService id="id3D703C97" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="lpr" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="515" 
dst_range_end="515"/>
+        <TCPService id="id3DC8C8BB" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="microsoft-rpc" comment="" 
ro="False" src_range_start="0" src_range_end="0" dst_range_start="135" 
dst_range_end="135"/>
+        <TCPService id="id3D703C98" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="ms-sql" comment="Microsoft SQL 
Server" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1433" 
dst_range_end="1433"/>
+        <TCPService id="id3B4FEEEE" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="mysql" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="3306" 
dst_range_end="3306"/>
+        <TCPService id="id3E755609" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="netbios-ssn" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="139" 
dst_range_end="139"/>
+        <TCPService id="id3B4FEE7A" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="nfs" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="2049" 
dst_range_end="2049"/>
+        <TCPService id="tcp-NNTP" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="nntp" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="119" 
dst_range_end="119"/>
+        <TCPService id="id3E7553BB" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="nntps" comment="NNTP over SSL" 
ro="False" src_range_start="0" src_range_end="0" dst_range_start="563" 
dst_range_end="563"/>
+        <TCPService id="id3B4FEE1D" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="pop3" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="110" 
dst_range_end="110"/>
+        <TCPService id="id3E7553BA" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="pop3s" comment="POP-3 over SSL" 
ro="False" src_range_start="0" src_range_end="0" dst_range_start="995" 
dst_range_end="995"/>
+        <TCPService id="id3B4FF0EA" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="postgres" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="5432" 
dst_range_end="5432"/>
+        <TCPService id="id3AECF782" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="printer" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="515" 
dst_range_end="515"/>
+        <TCPService id="id3B4FEF7C" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="quake" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="26000" 
dst_range_end="26000"/>
+        <TCPService id="id3AECF77A" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="rexec" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="512" 
dst_range_end="512"/>
+        <TCPService id="id3AECF77C" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="rlogin" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="513" 
dst_range_end="513"/>
+        <TCPService id="id3AECF77E" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="rshell" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="514" 
dst_range_end="514"/>
+        <TCPService id="id3D703C99" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="rtsp" comment="Real Time Streaming 
Protocol" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="554" dst_range_end="554"/>
+        <TCPService id="id3B4FEF34" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="rwhois" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="4321" 
dst_range_end="4321"/>
+        <TCPService id="id3D703C89" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="securidprop" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="5510" 
dst_range_end="5510"/>
+        <TCPService id="tcp-SMTP" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="smtp" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="25" dst_range_end="25"/>
+        <TCPService id="id3B4FF04C" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="smtps" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="465" 
dst_range_end="465"/>
+        <TCPService id="id3B4FEE76" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="socks" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="1080" 
dst_range_end="1080"/>
+        <TCPService id="id3D703C87" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="sqlnet1" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="1521" 
dst_range_end="1521"/>
+        <TCPService id="id3B4FF09A" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="squid" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="3128" 
dst_range_end="3128"/>
+        <TCPService id="tcp-SSH" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="ssh" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
+        <TCPService id="id3AEDBE00" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="sunrpc" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="111" 
dst_range_end="111"/>
+        <TCPService id="tcp-TCP-SYN" ack_flag="False" ack_flag_mask="True" 
fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" 
rst_flag="False" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" 
urg_flag="False" urg_flag_mask="True" name="tcp-syn" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
+        <TCPService id="tcp-Telnet" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="telnet" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="23" dst_range_end="23"/>
+        <TCPService id="tcp-uucp" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="uucp" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="540" 
dst_range_end="540"/>
+        <TCPService id="id3CB131C6" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="winterm" comment="Windows Terminal 
Services" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="3389" dst_range_end="3389"/>
+        <TCPService id="id3B4FF1B8" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="xfs" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="7100" 
dst_range_end="7100"/>
+        <TCPService id="id3C685B2B" ack_flag="True" ack_flag_mask="True" 
fin_flag="True" fin_flag_mask="True" psh_flag="True" psh_flag_mask="True" 
rst_flag="True" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" 
urg_flag="True" urg_flag_mask="True" name="xmas scan - full" comment="This 
service object matches TCP packet with all six flags set." ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
+        <TCPService id="id4127E949" ack_flag="False" ack_flag_mask="True" 
fin_flag="True" fin_flag_mask="True" psh_flag="True" psh_flag_mask="True" 
rst_flag="False" rst_flag_mask="True" syn_flag="False" syn_flag_mask="True" 
urg_flag="True" urg_flag_mask="True" name="xmas scan" comment="This service 
object matches TCP packet with flags FIN, PSH and URG set and other flags 
cleared. This is a  &quot;christmas scan&quot; as defined in snort rules. Nmap 
can generate this scan, too." ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="0" dst_range_end="0"/>
+        <TCPService id="id4127EA72" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="rsync" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="873" 
dst_range_end="873"/>
+        <TCPService id="id4127EBAC" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="distcc" comment="distributed 
compiler" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="3632" dst_range_end="3632"/>
+        <TCPService id="id4127ECF1" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="cvspserver" comment="CVS 
client/server operations" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="2401" dst_range_end="2401"/>
+        <TCPService id="id4127ECF2" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="cvsup" comment="CVSup file 
transfer/John Polstra/FreeBSD" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="5999" dst_range_end="5999"/>
+        <TCPService id="id4127ED5E" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="afp" comment="AFP (Apple file 
sharing) over TCP" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="548" dst_range_end="548"/>
+        <TCPService id="id4127EDF6" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="whois" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="43" dst_range_end="43"/>
+        <TCPService id="id4127F04F" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="bgp" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="179" 
dst_range_end="179"/>
+        <TCPService id="id4127F146" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="radius" comment="Radius protocol" 
ro="False" src_range_start="0" src_range_end="0" dst_range_start="1812" 
dst_range_end="1812"/>
+        <TCPService id="id4127F147" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="radius acct" comment="Radius 
Accounting" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="1813" dst_range_end="1813"/>
+        <TCPService id="id41291784" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="upnp" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="5000" 
dst_range_end="5000"/>
+        <TCPService id="id41291785" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="upnp-5431" comment="Although UPnP 
specification say it should use TCP port 5000, Linksys running Sveasoft 
firmware listens on port 5431" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="5431" dst_range_end="5431"/>
+        <TCPService id="id41291787" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="vnc-java-0" comment="Java VNC 
viewer, display 0" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="5800" dst_range_end="5800"/>
+        <TCPService id="id41291788" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="vnc-0" comment="Regular VNC 
viewer, display 0" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="5900" dst_range_end="5900"/>
+        <TCPService id="id41291887" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="vnc-java-1" comment="Java VNC 
viewer, display 1" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="5801" dst_range_end="5801"/>
+        <TCPService id="id41291888" ack_flag="False" ack_flag_mask="False" 
fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" 
rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" 
urg_flag="False" urg_flag_mask="False" name="vnc-1" comment="Regular VNC 
viewer, display 1" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="5901" dst_range_end="5901"/>
+        <TCPService id="id463FE5FE11008" ack_flag="False" 
ack_flag_mask="False" established="True" fin_flag="False" fin_flag_mask="False" 
psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" 
syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" 
name="All TCP established" comment="Some firewall platforms can match TCP 
packets with flags ACK or RST set; the option is usually called 
&quot;established&quot;.&#10;&#10;Note that you can use this object only in the 
policy rules of the firewall that supports this option.&#10;&#10;If you need to 
match reply packets for a specific TCP service and wish to use option 
&quot;established&quot;, make a copy of this object and set source port range 
to match the service.&#10;" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="0" dst_range_end="0"/>
+        <TCPService id="id1577X28030" ack_flag="False" ack_flag_mask="False" 
established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" 
psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" 
syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rtmp" 
comment="Real Time Messaging Protocol" ro="False" src_range_start="0" 
src_range_end="0" dst_range_start="1935" dst_range_end="1935"/>
+        <TCPService id="id1590X28030" ack_flag="False" ack_flag_mask="False" 
established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" 
psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" 
syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-client" 
comment="Extensible Messaging and Presence Protocol (XMPP)   RFC3920&#10;" 
ro="False" src_range_start="0" src_range_end="0" dst_range_start="5222" 
dst_range_end="5222"/>
+        <TCPService id="id1609X28030" ack_flag="False" ack_flag_mask="False" 
established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" 
psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" 
syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-server" 
comment="Extensible Messaging and Presence Protocol (XMPP)   RFC3920&#10;" 
ro="False" src_range_start="0" src_range_end="0" dst_range_start="5269" 
dst_range_end="5269"/>
+        <TCPService id="id1622X28030" ack_flag="False" ack_flag_mask="False" 
established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" 
psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" 
syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" 
name="xmpp-client-ssl" comment="Extensible Messaging and Presence Protocol 
(XMPP)   RFC3920&#10;" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="5223" dst_range_end="5223"/>
+        <TCPService id="id1631X28030" ack_flag="False" ack_flag_mask="False" 
established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" 
psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" 
syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" 
name="xmpp-server-ssl" comment="Extensible Messaging and Presence Protocol 
(XMPP)   RFC3920&#10;" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="5270" dst_range_end="5270"/>
+        <TCPService id="id1644X28030" ack_flag="False" ack_flag_mask="False" 
established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" 
psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" 
syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nrpe" 
comment="NRPE add-on for Nagios  http://www.nagios.org/&#10;"; ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="5666" 
dst_range_end="5666"/>
+      </ServiceGroup>
+      <ServiceGroup id="stdid08" name="UDP" comment="" ro="False">
+        <UDPService id="udp-ALL_UDP_Masqueraded" name="ALL UDP Masqueraded" 
comment="ipchains used to use this port range for masqueraded packets" 
ro="False" src_range_start="61000" src_range_end="65095" dst_range_start="0" 
dst_range_end="0"/>
+        <UDPService id="udp-All_UDP" name="All UDP" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
+        <UDPService id="id3D703C96" name="ICQ" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="4000" 
dst_range_end="4000"/>
+        <UDPService id="id3CB129D2" name="IKE" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="500" 
dst_range_end="500"/>
+        <UDPService id="id3CB131CA" name="PCAnywhere-status" comment="status 
channel for PCAnywhere v7.52 and later" ro="False" src_range_start="0" 
src_range_end="0" dst_range_start="5632" dst_range_end="5632"/>
+        <UDPService id="id3AED0D6B" name="RIP" comment="routing protocol RIP" 
ro="False" src_range_start="0" src_range_end="0" dst_range_start="520" 
dst_range_end="520"/>
+        <UDPService id="id3D703C8C" name="Radius" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="1645" 
dst_range_end="1645"/>
+        <UDPService id="id3D703C85" name="UDP high ports" comment="" 
ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" 
dst_range_end="65535"/>
+        <UDPService id="id3D703C86" name="Who" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="513" 
dst_range_end="513"/>
+        <UDPService id="id3B4FEDA1" name="afs" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="7000" 
dst_range_end="7009"/>
+        <UDPService id="udp-bootpc" name="bootpc" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="68" dst_range_end="68"/>
+        <UDPService id="udp-bootps" name="bootps" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="67" dst_range_end="67"/>
+        <UDPService id="id3AEDBE70" name="daytime" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="13" dst_range_end="13"/>
+        <UDPService id="udp-DNS" name="domain" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
+        <UDPService id="id3D703C8A" name="interphone" comment="VocalTec 
Internet Phone" ro="False" src_range_start="0" src_range_end="0" 
dst_range_start="22555" dst_range_end="22555"/>
+        <UDPService id="id3B4FEDA5" name="kerberos" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="88" dst_range_end="88"/>
+        <UDPService id="id3B4FEDA9" name="kerberos-adm" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="749" 
dst_range_end="750"/>
+        <UDPService id="id3B4FEDA7" name="kpasswd" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="464" 
dst_range_end="464"/>
+        <UDPService id="id3B4FEDAB" name="krb524" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="4444" 
dst_range_end="4444"/>
+        <UDPService id="id3F865B0D" name="microsoft-rpc" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="135" 
dst_range_end="135"/>
+        <UDPService id="udp-netbios-dgm" name="netbios-dgm" comment="" 
ro="False" src_range_start="0" src_range_end="0" dst_range_start="138" 
dst_range_end="138"/>
+        <UDPService id="udp-netbios-ns" name="netbios-ns" comment="" 
ro="False" src_range_start="0" src_range_end="0" dst_range_start="137" 
dst_range_end="137"/>
+        <UDPService id="udp-netbios-ssn" name="netbios-ssn" comment="" 
ro="False" src_range_start="0" src_range_end="0" dst_range_start="139" 
dst_range_end="139"/>
+        <UDPService id="id3B4FEE78" name="nfs" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="2049" 
dst_range_end="2049"/>
+        <UDPService id="udp-ntp" name="ntp" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="123" 
dst_range_end="123"/>
+        <UDPService id="id3B4FEF7E" name="quake" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="26000" 
dst_range_end="26000"/>
+        <UDPService id="id3D703C88" name="secureid-udp" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="1024" 
dst_range_end="1024"/>
+        <UDPService id="udp-SNMP" name="snmp" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="161" 
dst_range_end="161"/>
+        <UDPService id="id3AED0D69" name="snmp-trap" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="162" 
dst_range_end="162"/>
+        <UDPService id="id3AEDBE19" name="sunrpc" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="111" 
dst_range_end="111"/>
+        <UDPService id="id3AECF780" name="syslog" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="514" 
dst_range_end="514"/>
+        <UDPService id="id3AED0D67" name="tftp" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="69" dst_range_end="69"/>
+        <UDPService id="id3AED0D8C" name="traceroute" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="33434" 
dst_range_end="33524"/>
+        <UDPService id="id4127EA73" name="rsync" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="873" 
dst_range_end="873"/>
+        <UDPService id="id41291783" name="SSDP" comment="Simple Service 
Discovery Protocol (used for UPnP)" ro="False" src_range_start="0" 
src_range_end="0" dst_range_start="1900" dst_range_end="1900"/>
+        <UDPService id="id41291883" name="OpenVPN" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="1194" 
dst_range_end="1194"/>
+      </ServiceGroup>
+      <ServiceGroup id="stdid13" name="Custom" comment="" ro="False">
+        <CustomService id="id3B64EEA8" name="rpc" comment="works in iptables 
and requires patch-o-matic.&#10;For more information look for patch-o-matic on 
http://www.netfilter.org/"; ro="False" protocol="any" address_family="ipv4">
+          <CustomServiceCommand platform="Undefined"/>
+          <CustomServiceCommand platform="ipf"/>
+          <CustomServiceCommand platform="ipfilter"/>
+          <CustomServiceCommand platform="ipfw"/>
+          <CustomServiceCommand platform="iptables">-m 
record_rpc</CustomServiceCommand>
+          <CustomServiceCommand platform="pf"/>
+          <CustomServiceCommand platform="pix"/>
+          <CustomServiceCommand platform="unknown"/>
+        </CustomService>
+        <CustomService id="id3B64EF4E" name="irc-conn" comment="IRC connection 
tracker, supports DCC.&#10;Works on iptables and requires 
patch-o-matic.&#10;For more information look for patch-o-matic on 
http://www.netfilter.org/&#10;"; ro="False" protocol="any" address_family="ipv4">
+          <CustomServiceCommand platform="Undefined"/>
+          <CustomServiceCommand platform="ipf"/>
+          <CustomServiceCommand platform="ipfilter"/>
+          <CustomServiceCommand platform="ipfw"/>
+          <CustomServiceCommand platform="iptables">-m 
irc</CustomServiceCommand>
+          <CustomServiceCommand platform="pf"/>
+          <CustomServiceCommand platform="pix"/>
+          <CustomServiceCommand platform="unknown"/>
+        </CustomService>
+        <CustomService id="id3B64EF50" name="psd" comment="Port scan detector, 
works only on iptables and  requires patch-o-matic &#10;For more information 
look for patch-o-matic on http://www.netfilter.org/"; ro="False" protocol="any" 
address_family="ipv4">
+          <CustomServiceCommand platform="Undefined"/>
+          <CustomServiceCommand platform="ipf"/>
+          <CustomServiceCommand platform="ipfilter"/>
+          <CustomServiceCommand platform="ipfw"/>
+          <CustomServiceCommand platform="iptables">-m psd 
--psd-weight-threshold 5 --psd-delay-threshold 10000</CustomServiceCommand>
+          <CustomServiceCommand platform="pf"/>
+          <CustomServiceCommand platform="pix"/>
+          <CustomServiceCommand platform="unknown"/>
+        </CustomService>
+        <CustomService id="id3B64EF52" name="string" comment="Matches a string 
in a whole packet, works in iptables and requires patch-o-matic.&#10;For more 
information look for patch-o-matic on http://www.netfilter.org/"; ro="False" 
protocol="any" address_family="ipv4">
+          <CustomServiceCommand platform="Undefined"/>
+          <CustomServiceCommand platform="ipf"/>
+          <CustomServiceCommand platform="ipfilter"/>
+          <CustomServiceCommand platform="ipfw"/>
+          <CustomServiceCommand platform="iptables">-m string --string 
test_pattern</CustomServiceCommand>
+          <CustomServiceCommand platform="pf"/>
+          <CustomServiceCommand platform="pix"/>
+          <CustomServiceCommand platform="unknown"/>
+        </CustomService>
+        <CustomService id="id3B64EF54" name="talk" comment="Talk protocol 
support. Works in iptables and requires patch-o-matic.&#10;For more information 
look for patch-o-matic on http://www.netfilter.org/"; ro="False" protocol="any" 
address_family="ipv4">
+          <CustomServiceCommand platform="Undefined"/>
+          <CustomServiceCommand platform="ipf"/>
+          <CustomServiceCommand platform="ipfilter"/>
+          <CustomServiceCommand platform="ipfw"/>
+          <CustomServiceCommand platform="iptables">-m 
talk</CustomServiceCommand>
+          <CustomServiceCommand platform="pf"/>
+          <CustomServiceCommand platform="pix"/>
+          <CustomServiceCommand platform="unknown"/>
+        </CustomService>
+        <CustomService id="id3B6CEB55" name="Fragment Small Offset IPv4 UDP" 
comment="Only implemented for Junos ACL." ro="False" protocol="udp" 
address_family="ipv4">
+          <CustomServiceCommand platform="fwsm"/>
+          <CustomServiceCommand platform="iosacl"/>
+          <CustomServiceCommand platform="ipf"/>
+          <CustomServiceCommand platform="ipfw"/>
+          <CustomServiceCommand platform="iptables"/>
+          <CustomServiceCommand platform="junosacl">fragment-offset 
1-5</CustomServiceCommand>
+          <CustomServiceCommand platform="nxosacl"/>
+          <CustomServiceCommand platform="pf"/>
+          <CustomServiceCommand platform="pix"/>
+          <CustomServiceCommand platform="procurve_acl"/>
+          <CustomServiceCommand platform="unknown"/>
+        </CustomService>
+        <CustomService id="id3B6CEB56" name="Fragment IPv6 UDP" comment="Only 
implemented for Junos ACL." ro="False" protocol="fragment" 
address_family="ipv6">
+          <CustomServiceCommand platform="fwsm"/>
+          <CustomServiceCommand platform="iosacl"/>
+          <CustomServiceCommand platform="ipf"/>
+          <CustomServiceCommand platform="ipfw"/>
+          <CustomServiceCommand platform="iptables"/>
+          <CustomServiceCommand platform="junosacl">payload-protocol 
udp</CustomServiceCommand>
+          <CustomServiceCommand platform="nxosacl"/>
+          <CustomServiceCommand platform="pf"/>
+          <CustomServiceCommand platform="pix"/>
+          <CustomServiceCommand platform="procurve_acl"/>
+          <CustomServiceCommand platform="unknown"/>
+        </CustomService>
+        <CustomService id="id3B6CEB57" name="Fragment IPv4 UDP" comment="Only 
implemented for Junos ACL." ro="False" protocol="udp" address_family="ipv4">
+          <CustomServiceCommand platform="fwsm"/>
+          <CustomServiceCommand platform="iosacl"/>
+          <CustomServiceCommand platform="ipf"/>
+          <CustomServiceCommand platform="ipfw"/>
+          <CustomServiceCommand platform="iptables"/>
+          <CustomServiceCommand platform="junosacl">fragment-offset 
6-8191</CustomServiceCommand>
+          <CustomServiceCommand platform="nxosacl"/>
+          <CustomServiceCommand platform="pf"/>
+          <CustomServiceCommand platform="pix"/>
+          <CustomServiceCommand platform="procurve_acl"/>
+          <CustomServiceCommand platform="unknown"/>
+        </CustomService>
+      </ServiceGroup>
+      <ServiceGroup id="stdid19" name="TagServices" comment="" ro="False"/>
+      <ServiceGroup id="stdid20" name="UserServices" comment="" ro="False"/>
+    </ServiceGroup>
+    <ObjectGroup id="stdid12" name="Firewalls" comment="" ro="False"/>
+    <ObjectGroup id="stdid21" name="Clusters" comment="" ro="False"/>
+    <IntervalGroup id="stdid11" name="Time" comment="" ro="False">
+      <Interval id="int-workhours" days_of_week="1,2,3,4,5" from_day="-1" 
from_hour="9" from_minute="0" from_month="-1" from_weekday="1" from_year="-1" 
to_day="-1" to_hour="17" to_minute="0" to_month="-1" to_weekday="5" 
to_year="-1" name="workhours" comment="any day, 9:00am through 5:00pm" 
ro="False"/>
+      <Interval id="int-weekends" days_of_week="6,0" from_day="-1" 
from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" 
to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" 
to_year="-1" name="weekends" comment="weekends: Saturday 0:00 through Sunday 
23:59 " ro="False"/>
+      <Interval id="int-afterhours" days_of_week="0,1,2,3,4,5,6" from_day="-1" 
from_hour="18" from_minute="0" from_month="-1" from_weekday="-1" from_year="-1" 
to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="-1" 
to_year="-1" name="afterhours" comment="any day 6:00pm - 12:00am" ro="False"/>
+      <Interval id="id3C63479C" days_of_week="6" from_day="-1" from_hour="0" 
from_minute="0" from_month="-1" from_weekday="6" from_year="-1" to_day="-1" 
to_hour="23" to_minute="59" to_month="-1" to_weekday="6" to_year="-1" 
name="Sat" comment="" ro="False"/>
+      <Interval id="id3C63479E" days_of_week="0" from_day="-1" from_hour="0" 
from_minute="0" from_month="-1" from_weekday="0" from_year="-1" to_day="-1" 
to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1" 
name="Sun" comment="" ro="False"/>
+    </IntervalGroup>
+  </Library>
+  <Library id="sysid99" name="Deleted Objects" comment="" ro="False"/>
+  <Library id="id1592X4142577" color="#d2ffd0" name="User" comment="" 
ro="False">
+    <ObjectGroup id="id1593X4142577" name="Objects" comment="" ro="False">
+      <ObjectGroup id="id1594X4142577" name="Addresses" comment="" ro="False"/>
+      <ObjectGroup id="id1595X4142577" name="DNS Names" comment="" ro="False"/>
+      <ObjectGroup id="id1596X4142577" name="Address Tables" comment="" 
ro="False"/>
+      <ObjectGroup id="id1597X4142577" name="Groups" comment="" ro="False"/>
+      <ObjectGroup id="id1598X4142577" name="Hosts" comment="" ro="False"/>
+      <ObjectGroup id="id1599X4142577" name="Networks" comment="" ro="False"/>
+      <ObjectGroup id="id1600X4142577" name="Address Ranges" comment="" 
ro="False"/>
+    </ObjectGroup>
+    <ServiceGroup id="id1601X4142577" name="Services" comment="" ro="False">
+      <ServiceGroup id="id1602X4142577" name="Groups" comment="" ro="False"/>
+      <ServiceGroup id="id1603X4142577" name="ICMP" comment="" ro="False"/>
+      <ServiceGroup id="id1604X4142577" name="IP" comment="" ro="False"/>
+      <ServiceGroup id="id1605X4142577" name="TCP" comment="" ro="False"/>
+      <ServiceGroup id="id1606X4142577" name="UDP" comment="" ro="False"/>
+      <ServiceGroup id="id1607X4142577" name="Users" comment="" ro="False"/>
+      <ServiceGroup id="id1608X4142577" name="Custom" comment="" ro="False"/>
+      <ServiceGroup id="id1609X4142577" name="TagServices" comment="" 
ro="False"/>
+    </ServiceGroup>
+    <ObjectGroup id="id1610X4142577" name="Firewalls" comment="" ro="False">
+      <Firewall id="id4464X4142577" host_OS="linux24" 
lastCompiled="1625337581" lastInstalled="0" lastModified="1625337497" 
platform="iptables" version="" name="demeter" comment="This is an example of a 
firewall protecting a host ( a server or a workstation). Only SSH access to the 
host is permitted. Host has dynamic address." ro="False">
+        <NAT id="id4482X4142577" name="NAT" comment="" ro="False" 
ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
+        </NAT>
+        <Policy id="id4485X4142577" name="Policy" comment="" ro="False" 
ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <PolicyRule id="id4487X4142577" disabled="False" group="" log="True" 
position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
+            <Src neg="False">
+              <ObjectRef ref="id4464X4142577"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id4472X4142577"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id4515X4142577" disabled="False" group="" 
log="False" position="1" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id4474X4142577"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id4543X4142577" disabled="False" group="" 
log="False" position="2" action="Accept" direction="Both" comment="SSH Access 
to the host; useful ICMP&#10;types; ping request">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id4464X4142577"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="tcp-SSH"/>
+              <ServiceRef ref="sg-Useful_ICMP"/>
+              <ServiceRef ref="icmp-ping_request"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id4573X4142577" disabled="False" group="" 
log="False" position="3" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="id4464X4142577"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <PolicyRule id="id4601X4142577" disabled="False" group="" 
log="False" position="4" action="Deny" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions/>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
+        <Routing id="id4630X4142577" name="Routing" comment="" ro="False" 
ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
+        </Routing>
+        <Interface id="id4472X4142577" dedicated_failover="False" dyn="True" 
label="outside" mgmt="False" security_level="0" unnum="False" 
unprotected="False" name="eth0" comment="" ro="False">
+          <InterfaceOptions/>
+        </Interface>
+        <Interface id="id4474X4142577" dedicated_failover="False" dyn="False" 
label="loopback" mgmt="False" security_level="100" unnum="False" 
unprotected="False" name="lo" comment="" ro="False">
+          <IPv4 id="id4475X4142577" name="demeter:lo:ipv4" comment="" 
ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
+          <InterfaceOptions/>
+        </Interface>
+        <Management address="0.0.0.0">
+          <SNMPManagement enabled="False" snmp_read_community="" 
snmp_write_community=""/>
+          <FWBDManagement enabled="False" identity="" port="-1"/>
+          <PolicyInstallScript arguments="" command="" enabled="False"/>
+        </Management>
+        <FirewallOptions>
+          <Option name="accept_established">true</Option>
+          <Option name="accept_new_tcp_with_no_syn">true</Option>
+          <Option name="check_shading">true</Option>
+          <Option name="configure_interfaces">true</Option>
+          <Option name="eliminate_duplicates">true</Option>
+          <Option name="firewall_dir">/etc</Option>
+          <Option name="firewall_is_part_of_any_and_networks">true</Option>
+          <Option name="freebsd_ip_forward">1</Option>
+          <Option name="limit_value">0</Option>
+          <Option name="linux24_ip_forward">1</Option>
+          <Option name="load_modules">true</Option>
+          <Option name="local_nat">false</Option>
+          <Option name="log_level">info</Option>
+          <Option name="log_prefix">RULE %N -- %A </Option>
+          <Option name="loopback_interface">lo0</Option>
+          <Option name="macosx_ip_forward">1</Option>
+          <Option name="manage_virtual_addr">true</Option>
+          <Option name="openbsd_ip_forward">1</Option>
+          <Option name="pix_add_clear_statements">true</Option>
+          <Option name="pix_assume_fw_part_of_any">true</Option>
+          <Option name="pix_default_logint">300</Option>
+          <Option name="pix_emblem_log_format">false</Option>
+          <Option name="pix_emulate_out_acl">true</Option>
+          <Option name="pix_floodguard">true</Option>
+          <Option name="pix_include_comments">true</Option>
+          <Option name="pix_route_dnat_supported">true</Option>
+          <Option name="pix_rule_syslog_settings">false</Option>
+          <Option name="pix_security_fragguard_supported">true</Option>
+          <Option name="pix_syslog_device_id_supported">false</Option>
+          <Option name="pix_use_acl_remarks">true</Option>
+          <Option name="solaris_ip_forward">1</Option>
+          <Option name="ulog_nlgroup">1</Option>
+          <Option name="verify_interfaces">true</Option>
+        </FirewallOptions>
+      </Firewall>
+    </ObjectGroup>
+    <ObjectGroup id="id1611X4142577" name="Clusters" comment="" ro="False"/>
+    <IntervalGroup id="id1612X4142577" name="Time" comment="" ro="False"/>
+  </Library>
+</FWObjectDatabase>

diff --git a/config/fwbuilder/fwbuilder.service 
b/config/fwbuilder/fwbuilder.service
new file mode 100644
index 00000000..987dea1a
--- /dev/null
+++ b/config/fwbuilder/fwbuilder.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=fwbuilder-based packet filter
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+WorkingDirectory=/
+ExecStart=/root/releng/config/fwbuilder/%l.fw start
+ExecStop=/root/releng/config/fwbuilder/%l.fw stop
+Restart=no
+
+[Install]
+WantedBy=multi-user.target
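Review bot: `After=network.target` orders the packet filter after the network is up, so interfaces can be reachable for a window before any rule is loaded; systemd's documented pattern for firewall units is `Wants=network-pre.target` plus `Before=network-pre.target` in `[Unit]`. That ordering only works if the generated script does not need a live address on the dynamic `eth0` interface at start time — if it does, the current ordering may be deliberate and should carry a comment saying so. `ExecStop` runs the script's `stop` action; if that flushes the chains and resets the default policy to ACCEPT, as fwbuilder-generated scripts commonly do, `systemctl stop` leaves the host unfiltered, which is worth stating in a comment on that line. The `/root/releng/...%l.fw` path also ties the unit to the git checkout rather than the `/etc` location the `.fwb` options select via `firewall_dir`, so a checkout lacking a `%l.fw` for the host's short name fails the unit with no filter loaded.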
